This article covers Microsoft's attempt to take down a global criminal botnet.
Microsoft on Monday announced a lawsuit aimed at disrupting a major digital cybercrime network that uses more than one million zombie computers to loot bank accounts and spread ransomware, which experts see as a major threat to the U.S. presidential election. The operation to take offline the command and control servers of a global botnet that uses an infrastructure called Trickbot to infect computers with malware began with an order that Microsoft obtained in Virginia federal court on October 6. Microsoft argued that the crime ring is abusing its brand.
“It’s very difficult to say how effective it will be, but we are confident that it will have a very long-lasting effect,” said Jean-Ian Boutin, head of threat research at ESET, one of several cybersecurity companies that have partnered with Microsoft to map command and control servers. “We’re sure they will notice it and it will be difficult for them to get back to the state the botnet was in.” Cybersecurity experts have said Microsoft’s use of a U.S. court order to persuade ISPs to take down botnet servers is commendable. But they add that it is not likely to succeed because too many providers will not comply and because the Trickbot operators have a decentralized back-up system and use encrypted routing.
Paul Vixie of Farsight Security said via email: “Experience tells me this is not going to change – there is too much IP behind uncooperative national borders.” And cybersecurity firm Intel 471 did not report any significant impact on Trickbot’s operations on Monday and predicted “little impact in the medium to long term” in a report shared with the Associated Press. But ransomware expert Brett Callow of cybersecurity firm Emsisoft said that a temporary shutdown of Trickbot could, at least during the election, limit attacks and prevent the activation of ransomware on already infected systems.
The announcement follows a Washington Post report on Friday of a major – but ultimately unsuccessful – effort last month by the U.S. Army Cyber Command to dismantle Trickbot with direct attacks rather than by asking vendors to refuse hosting to domains used by command and control servers. A US policy called “persistent engagement” allows US cyber warriors to engage hostile hackers in cyberspace and disrupt their operations with code, which Cybercom did against Russian disinformation jockeys in the 2018 midterm elections in the United States.
Created in 2016 and used by an informal consortium of Russian-speaking cybercriminals, Trickbot is a digital superstructure for sowing malware into the computers of unwitting individuals and websites. In recent months, its operators have increasingly leased it out to other criminals who have used it to plant ransomware, which encrypts data on target networks, crippling them until victims pay.
One of the biggest reported victims of a variety of ransomware planted by Trickbot called Ryuk was hospital chain Universal Health Services, which said all 250 U.S. facilities were hampered by an attack last month that forced doctors and nurses to use pencil and paper. US Department of Homeland Security officials see ransomware as a major threat to the November 3 presidential election. They fear an attack could freeze state or local voter registration systems, disrupt voting, or knock out results-reporting websites.
While cybersecurity experts say the operators of Trickbot and affiliated digital crime syndicates are Russian speakers based primarily in Eastern Europe, they warn that they are driven by profit, not politics. They operate, however, with impunity and without interference from the Kremlin as long as their targets are abroad. “In today’s world, Trickbot is a type of plague,” said Alex Holden, founder of Milwaukee-based Hold Security, which closely follows its dark web activity, “and a government that ignores a global scourge is more than complacent.” Trickbot is ‘malware-as-a-service’; its modular architecture allows it to be used as a delivery mechanism for a wide range of criminal activity. It started primarily as a so-called banking Trojan that attempts to steal the credentials of an online bank account so that criminals can fraudulently transfer money.
But recently, researchers have noted an increase in the use of Trickbot in ransomware attacks targeting everything from city and state governments to school districts and hospitals. Ryuk and another type of ransomware called Conti – also distributed via Trickbot – dominated attacks on the U.S. public sector in September, Emsisoft said. Holden said Cybercom’s reported disruption – involving efforts to confuse its setup via code injections – had succeeded in temporarily disrupting communications between command and control servers and most bots.
“But it’s not a decisive victory,” he said, adding that the botnet has rebounded with new victims and ransomware. The disruption – in two waves that began on September 22 – was first reported by cybersecurity reporter Brian Krebs.
The AP could not immediately confirm Cybercom’s reported involvement.